MD Anderson fined $4.3M for HIPAA violations related to 3 data breaches

In a June 18 release, HHS announced a ruling against the University of Texas MD Anderson Cancer Center in Houston requiring $4.3 million in civil penalties due to three data breaches from 2012 and 2013.  

Personnel at MD Anderson lost a laptop and two thumb drives containing information about thousands of patients.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson argued the devices did not require encryption because the personal information was for research—meaning it was not subject to HIPAA requirements. A company release from MD Anderson emphasized patient privacy and data security, while disagreeing with the final judgment.

“Patient privacy is of extreme importance at The University of Texas MD Anderson Cancer Center, and substantial measures are in place to ensure the protection of private patient information,” according to MD Anderson’s statement. “In all three cases involving the loss or theft of devices reviewed by the Administrative Law Judge (ALJ), there is no evidence any patient information was viewed or any harm to patients was caused.”

Nicholas Leider, Managing Editor

Nicholas joined TriMed in 2016 as the managing editor of the Chicago office. After receiving his master’s from Roosevelt University, he worked in various writing/editing roles for magazines ranging in topic from billiards to metallurgy. Currently on Chicago’s north side, Nicholas keeps busy by running, reading and talking to his two cats.
